Cyber Security: Password Cracking Awareness

Introduction

Passwords are the keys to our digital lives in the modern world. Over the years, information technology professionals and experts have seen an evolution in password security. Gone are the days where ‘1234’ and ‘password’ are acceptable passwords. Gone are the days where you can get away with leaving your passwords on a post-it note next to your computer. Gone are the days where your password security is an afterthought.

But are those days really gone? As much as we would all like to say that they are, they truthfully are not. Countless people still use very predictable passwords to this day. Many will leave their passwords out in the open or make them easily guessable. Progress has definitely been made in password security awareness as it relates to cyber security, but, unfortunately, there are still many who are vulnerable.

Why does this matter? Aside from the consequences of weak cyber security and password security, why should we be super careful with passwords? Everybody should be cautious about their password for several reasons. For starters, you can never know how passwords are stored in the various databases and services you frequently access and use. The two common cases for how passwords are stored are as follows:

  • Stored as plaintext, where you are 100% always at risk and should consider NOT using that service. There’s no way to tell if a service you’re using will use this, but it is thankfully rare to still see these.
  • Stored as a hash, where you should feel a little bit more at ease. In these cases, even if the service you are using is compromised or hacked, all the attackers will receive is a hashed version of your password. This is still effective for them, and I will describe this in greater detail. There are varying levels of hash security, for example MD5, SHA-1, SHA-2, and SHA-3. Discussion of these various hashing algorithms is currently beyond the scope of this post, but as an aside, MD5 and SHA-1 should no longer be used (they are susceptible and hackable).


Hashed Password Cracking Methodology

So, the good news for us consumers is that most companies do not store their customers’ passwords as plaintext in their database. However, that should not completely set you at ease. Major companies consistently get hacked through various means, and user authentication databases get leaked like clockwork. What that means is that there are several “lists” of users’ passwords on the web for hackers to use as reference points, or “dictionaries.”

Of course, one might say that it is still okay. If a company was studious enough, they stored the password as a hash, so it might look something like this in the database:
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

This hashcode is the SHA-2 generated equivalent of the string ‘password’. For reference, you can use this website to generate hash codes. On the hash-level surface, this might look like a really difficult password for a hacker to crack. However, in reality, this is one of the simplest passwords to crack. This hash is what is stored in the database, and these are commonly leaked when companies and services get hacked.

It can be amazingly easy for a hacker to crack a password if given the hashed version. Powerful computers and servers that are capable of handling big data, data analytics, deep learning, artificial intelligence, crypto/blockchain, and other processing-intensive technologies can also be used to crack a hash quickly. Let’s take for example a server that is set up with 4 NVIDIA GeForce GTX TITAN X graphics cards, each with 12 GB of VRAM. This server also has ‘cuda hashcat’ installed; with this configuration, the server can run 40 billion hashes per second (each graphics card capable of 10 billion/sec).

There is a concept known as the character set for passwords. This can best be summarized as the complexity of a password. Factors that determine the security strength of a password are common knowledge; for example, password length, case-sensitivity, alphanumeric characters, symbols, and combinations thereof can make password cracking algorithms much more inefficient. A discussion on password security, and how to create a password that is resilient against the following attacks, is a topic for another post.

Brute force

The simplest of password cracking algorithms is the trivial brute force approach. Essentially, this brute force algorithm will generate a table of possible strings that look a little bit like this:

aaaaaaa  
aaaaaab  
aaaaaac  
aaaaaad  
…

This might seem basic and impractical, but at 40 billion hashes per second, this algorithm can quickly break simple passwords. The algorithm is essentially a script that generates a massive amount of hashes while comparing each of the hashes to a source hash table. The source hash table would be a recently leaked, breached, or hacked password database that could be found online. As an estimate, passwords that can be breached using brute force can be cracked in a matter of seconds.

Dictionary attacks

The method used more commonly is the dictionary attack. Hackers maintain a list of previously used or common passwords along with some string manipulations as a basis of comparison. This slows the search a bit more for the algorithm, but is more effective at cracking passwords than the brute force method. For string manipulations, hackers conducting dictionary attacks know the popular techniques (“rules”) that people use to increase their password’s security. You have probably seen these kinds of substitutions or insertions before:

  • @ = a
  • 3 = e
  • $ = s
  • 0 = o
  • 1 = l
  • Numerals or symbols, where locality follows a pattern (beginning or end of string)
  • Birthdates / significant years


Password cracking algorithms can account for these substitutions at the cost of a slight loss of performance and time. These substitutions, along with other inserted symbols and complex characters, should still be used; however, that does not mean that they will be unbreakable.

One of the worst things for all customers when it comes to password security is when a large company is breached. These are real, legitimate passwords that normal users and consumers use. When these attacks are conducted, hackers learn useful information on what passwords look like. From here, hackers can input the entire hacked database of passwords into a dictionary, and analyze patterns in the database to form new rules for string manipulation. Using these methods might be “slower” in terms of CPU/GPU efficiency, but it is actually astronomically more effective at cracking passwords than most other methods.
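A service can apply the same rules defensively when a user chooses a password. The following is an added example, not code from the original post: it undoes the substitutions listed above, trims leading and trailing digits or symbols, checks the result against a deny list, and estimates exhaustive-search time at the post's 40 billion hashes per second. The deny list, the function names and the printable-ASCII character counts are assumptions made for illustration.

```python
import re

# Substitutions listed in the post, mapped back to the letter each one replaces.
UNDO = str.maketrans({"@": "a", "3": "e", "$": "s", "0": "o", "1": "l"})
# Constructed sample deny list; a deployment would load a breached-password corpus.
DENY_LIST = {"password", "welcome", "dragon", "letmein", "baseball"}
HASHES_PER_SECOND = 40_000_000_000  # the post's four-GPU figure
ONE_YEAR = 365 * 24 * 3600


def candidates(password):
    """Lower-case the password, then undo the substitutions for every way of
    trimming the digits/symbols wrapped around its letter-delimited core."""
    lead, core, tail = re.fullmatch(
        r"([^a-z]*)(.*?)([^a-z]*)", password.lower(), re.S).groups()
    return [(lead[i:] + core + tail[:j]).translate(UNDO)
            for i in range(len(lead) + 1) for j in range(len(tail) + 1)]


def exhaustive_seconds(password, rate=HASHES_PER_SECOND):
    """Seconds to try every string of this length over the character classes
    used. Assumes printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols."""
    size = 26 * any(c.islower() for c in password)
    size += 26 * any(c.isupper() for c in password)
    size += 10 * any(c.isdigit() for c in password)
    size += 33 * any(not c.isalnum() for c in password)
    try:
        return size ** len(password) / rate
    except OverflowError:  # keyspace too large to express as a float
        return float("inf")


def audit(password, min_seconds=ONE_YEAR):
    """Return the reasons a password should be rejected (empty list = accept)."""
    reasons = []
    hit = next((c for c in candidates(password) if c in DENY_LIST), None)
    if hit:
        reasons.append(f"deny-listed word '{hit}' after undoing common rules")
    if exhaustive_seconds(password) < min_seconds:
        reasons.append("exhaustive search takes under a year at the assumed rate")
    return reasons


if __name__ == "__main__":
    for pw in ("aaaaaab", "baseba11", "P@ssw0rd1987!", "vQ7#mK2!xLp9Rt"):
        print(pw, audit(pw))
```

Note that `P@ssw0rd1987!` passes the length and character-class estimate comfortably and is rejected only because the rule-undoing step reduces it to a deny-listed word.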

Conclusion

There are several tools and methods that hackers can utilize to gain unauthorized access to accounts and data. Unfortunately for consumers, there’s not much we can do to improve our security aside from having good cyber awareness, strong passwords, and vigilant account alerts. Luckily, cyber security awareness is becoming more pervasive as companies shift to having constant cyber security evaluations and improved password hashing security.